Backbone Cairo


7/30/2019 Backbone Cairo

1/43

Introduction to Computer Networking & Security

Contents

1. Introduction
2. The OSI model
3. Switches
4. Routing
5. Introduction to Backbone design
6. Introduction to Security
   i. Firewalls
   ii. VPNs
   iii. AAA

Introduction

Network topologies

The OSI Model

Open Systems Interconnection (OSI) Layers

Layer  Name
7      Application
6      Presentation
5      Session
4      Transport
3      Network
2      Data Link
1      Physical

Switches

Link layer device:
  stores and forwards Ethernet frames
  examines frame header and selectively forwards frame based on MAC dest address
Transparent:
  hosts are unaware of presence of switches
Plug-and-play:
  switches do not need to be configured
Switches have more interfaces than Hubs
Switch: A-to-A' and B-to-B' simultaneously, no collisions
A-to-A' and A'-to-A simultaneously, full duplex

[Figure: a switch with hosts A, A', B, B', C, C' each on a dedicated port]

Switches [Contd]

Self learning:
  A switch has a switch table
  entry in switch table: (MAC Address, Interface, Age)
  Stale entries in table dropped (Age can be 60 min)
  switch learns which hosts can be reached through which interfaces
  When frame received, switch learns location of sender: incoming LAN segment
  Records sender/location pair in switch table
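The self-learning behaviour above, as an added example that is not part of the slides: a switch table of (MAC address, interface, last seen) entries, learned from the source address of each frame, aged out after the 60 minutes the slide mentions, with known destinations forwarded to one port and unknown ones flooded. The `max_macs_per_port` limit is an assumed defensive addition in the spirit of port security on managed switches (it keeps one host from filling the table with bogus source MACs and forcing everything to be flooded); the port numbers, MAC addresses and frame sequence are constructed.

```python
"""Self-learning switch table: (MAC address, interface, last seen) entries
built from observed frames, stale entries dropped, unknown destinations
flooded. Added example; the switch, port numbers, MAC addresses and frames
below are constructed for illustration, not taken from the slides."""

AGING_SECONDS = 60 * 60  # the slides mention an age of 60 minutes


class LearningSwitch:
    def __init__(self, ports, aging=AGING_SECONDS, max_macs_per_port=None):
        self.ports = list(ports)
        self.aging = aging
        # Assumed defensive limit (like port-security on managed switches):
        # cap how many MACs one port may teach the table, so a single host
        # cannot flush everybody else's entries by spraying source MACs.
        self.max_macs_per_port = max_macs_per_port
        self.table = {}  # MAC -> [interface, last_seen]
        self.violations = 0

    def _expire(self, now):
        stale = [m for m, (_, seen) in self.table.items() if now - seen > self.aging]
        for m in stale:
            del self.table[m]

    def _macs_on(self, port):
        return sum(1 for iface, _ in self.table.values() if iface == port)

    def receive(self, in_port, src, dst, now):
        """Process one frame. Returns the list of ports it is sent out on
        ([] means filtered or dropped)."""
        self._expire(now)
        # Learn: the sender is reachable through the incoming interface.
        if (src not in self.table and self.max_macs_per_port is not None
                and self._macs_on(in_port) >= self.max_macs_per_port):
            self.violations += 1
            return []  # drop rather than learn a new MAC on a full port
        self.table[src] = [in_port, now]
        # Forward: known destination -> its port, unless that is the segment
        # the frame arrived on (filter); unknown or broadcast -> flood.
        if dst in self.table:
            out = self.table[dst][0]
            return [] if out == in_port else [out]
        return [p for p in self.ports if p != in_port]

    def entries(self, now):
        """Current table as MAC -> (interface, age in seconds)."""
        self._expire(now)
        return {m: (iface, now - seen) for m, (iface, seen) in self.table.items()}


def demo():
    """Constructed frame sequence; returns the switch and per-frame output ports."""
    sw = LearningSwitch(ports=[1, 2, 3], max_macs_per_port=2)
    a, b, c = "00-14-22-C9-5B-69", "00-14-22-C9-5B-6A", "00-14-22-C9-5B-6B"
    out = []
    out.append(sw.receive(1, a, b, now=0))     # b unknown: flood to ports 2 and 3
    out.append(sw.receive(2, b, a, now=1))     # a learned on port 1: forward there only
    out.append(sw.receive(1, a, b, now=2))     # b learned on port 2: forward there only
    out.append(sw.receive(3, c, a, now=5000))  # a and b aged out (> 3600 s): flood again
    return sw, out


if __name__ == "__main__":
    switch, decisions = demo()
    print(decisions, switch.entries(5000))
```

The last frame shows why aging matters operationally: once an entry has expired the switch falls back to flooding, so traffic to that host is briefly visible on every port until the host speaks again.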

Switches [Contd]

MAC Addresses: 6 bytes long, represented as a 12-digit hexadecimal number
  example: 00-14-22-C9-5B-69
VLANs and trunking
STP (Spanning-Tree Protocol):
  Spanning-Tree Protocol (STP) prevents loops from being formed when switches or bridges are interconnected via multiple paths
  Spanning-Tree Protocol implements the IEEE 802.1D algorithm by exchanging BPDU messages with other switches to detect loops, and then removes the loop by shutting down selected bridge interfaces
  This algorithm guarantees that there is one and only one active path between two network devices
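The "one and only one active path" guarantee, as an added example that is not from the slides: a simplified 802.1D computation over a constructed four-switch topology. The root is the lowest bridge ID, every other switch keeps the link toward the neighbour closest to the root (lowest bridge ID breaking ties), and all remaining switch-to-switch links are blocked. Real STP learns this by exchanging BPDUs and uses per-port path costs; this model reduces cost to hop count and skips the protocol exchange.

```python
"""Simplified 802.1D spanning tree: elect the root (lowest bridge ID), keep
the shortest path from each switch to the root, block every other
switch-to-switch link so exactly one active path remains between any two
switches. Added example with a constructed topology; real STP exchanges
BPDUs and uses port costs, reduced here to hop count plus bridge-ID tie-break."""
from collections import deque


def spanning_tree(bridge_ids, links):
    """bridge_ids: {switch: bridge ID (priority + MAC as an int)}.
    links: list of (switch_a, switch_b) physical links.
    Returns (root, active_links, blocked_links); links are frozensets."""
    root = min(bridge_ids, key=lambda s: (bridge_ids[s], s))
    adj = {s: set() for s in bridge_ids}
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    # Root path cost = hop count from the root (BFS).
    dist = {root: 0}
    queue = deque([root])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    # Each non-root switch keeps one root port: toward a neighbour that is
    # one hop closer to the root, lowest bridge ID breaking ties.
    active = set()
    for s in bridge_ids:
        if s == root or s not in dist:
            continue
        candidates = [n for n in adj[s] if dist[n] == dist[s] - 1]
        parent = min(candidates, key=lambda n: (bridge_ids[n], n))
        active.add(frozenset((s, parent)))
    blocked = {frozenset(link) for link in links} - active
    return root, active, blocked


def is_loop_free(switches, active):
    """A loop-free, connected topology has exactly len(switches) - 1 active
    links and every switch reachable from any other over them."""
    if len(active) != len(switches) - 1:
        return False
    adj = {s: set() for s in switches}
    for link in active:
        a, b = tuple(link)
        adj[a].add(b)
        adj[b].add(a)
    seen, stack = set(), [next(iter(switches))]
    while stack:
        u = stack.pop()
        if u in seen:
            continue
        seen.add(u)
        stack.extend(adj[u] - seen)
    return seen == set(switches)


# Constructed topology: ring SW1-SW2-SW3-SW4-SW1 plus a diagonal SW1-SW3,
# i.e. two redundant paths that would loop broadcast frames without STP.
BRIDGE_IDS = {"SW1": 0x80000002, "SW2": 0x80000001, "SW3": 0x80000004, "SW4": 0x80000003}
LINKS = [("SW1", "SW2"), ("SW2", "SW3"), ("SW3", "SW4"), ("SW4", "SW1"), ("SW1", "SW3")]

if __name__ == "__main__":
    root, active, blocked = spanning_tree(BRIDGE_IDS, LINKS)
    print("root:", root)
    print("active:", [tuple(sorted(l)) for l in active])
    print("blocked:", [tuple(sorted(l)) for l in blocked])
```

Because the root is chosen purely by lowest bridge ID, any device that can send BPDUs with a low priority can become root and reshape the tree; that is why production designs pin the root priority and enable BPDU guard on access ports.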


Routing

IP Addresses
  IP Classes
  Private IP Ranges
Subnetting
Routing
Routing scenario

IP Addresses

Subnetting

Given an IP address from a class C range (192.168.100.5) with subnet mask 255.255.255.240 (/28), how many hosts can exist in the same subnet, and how many subnets can be used within the same class C?

First:
Comparing with the default mask (/24), we are using 4 bits for subnetting; this gives 2^4 = 16 subnets with (2^4) - 2 = 14 hosts per subnet.

Second:
AND between 192.168.100.5 and 255.255.255.240:

  192.168.100.00000101
  255.255.255.11110000
= 192.168.100.00000000

This host belongs to subnet 192.168.100.0 mask 255.255.255.240

Subnetting (cont.)

Then we can write this as:

Subnet 0: 192.168.100.0
  start ip: 192.168.100.1
  end ip: 192.168.100.14
Subnet 1: 192.168.100.16
  start ip: 192.168.100.17
  end ip: 192.168.100.30
...
Subnet 16: 192.168.100.240
  start ip: 192.168.100.241
  end ip: 192.168.100.254
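The same worked example carried through in code, as an added example that is not from the slides: the bitwise AND of host and mask from the previous slide, the borrowed-bit count against the classful default mask, and the enumeration of every /28 block with its usable host range. It uses Python's standard `ipaddress` module and generalises to any mask; note that it numbers subnets from 0, so the slide's last block 192.168.100.240 comes out as subnet 15, the sixteenth.

```python
"""Subnet arithmetic with the standard ipaddress module: AND the host
address with the mask to find its subnet, count the bits borrowed from the
classful default mask, and enumerate the subnets with their usable host
ranges. Added example; nothing here is code from the slides."""
import ipaddress


def classful_prefix(ip):
    """Default mask length for the address class (A /8, B /16, C /24)."""
    first_octet = int(ip) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError("class D/E addresses have no default mask")


def subnet_by_and(host, mask):
    """Bitwise AND of host and mask, exactly the operation on the slide."""
    h = int(ipaddress.IPv4Address(host))
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(h & m))


def subnet_report(host, mask):
    """Subnet of the host plus the subnet/host counts for its classful block."""
    iface = ipaddress.IPv4Interface(f"{host}/{mask}")
    net = iface.network
    borrowed = net.prefixlen - classful_prefix(iface.ip)
    hosts = list(net.hosts())  # excludes network and broadcast addresses
    return {
        "network": str(net.network_address),
        "prefixlen": net.prefixlen,
        "borrowed_bits": borrowed,
        "subnet_count": 2 ** borrowed,
        "hosts_per_subnet": len(hosts),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
    }


def enumerate_subnets(host, mask):
    """All subnets of the classful block as (index, network, first host, last host)."""
    iface = ipaddress.IPv4Interface(f"{host}/{mask}")
    block = ipaddress.IPv4Network(f"{iface.ip}/{classful_prefix(iface.ip)}", strict=False)
    result = []
    for i, sn in enumerate(block.subnets(new_prefix=iface.network.prefixlen)):
        hosts = list(sn.hosts())
        result.append((i, str(sn.network_address), str(hosts[0]), str(hosts[-1])))
    return result


if __name__ == "__main__":
    print(subnet_by_and("192.168.100.5", "255.255.255.240"))
    print(subnet_report("192.168.100.5", "255.255.255.240"))
    for row in enumerate_subnets("192.168.100.5", "255.255.255.240"):
        print("Subnet %d: %s  start ip: %s  end ip: %s" % row)
```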

Routing

Routing steps:
  Longest match in the routing table
  Lowest admin distance
  Default route (gateway of last resort)
  Forwarding the packet
Routing Protocols:
  Static Routing
  Dynamic Routing
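The routing steps above, as an added example that is not from the slides: a routing table that installs, for each prefix, only the candidate with the lowest administrative distance, then looks a destination up by longest match and falls back to the 0.0.0.0/0 gateway of last resort. The prefixes and next hops are constructed; the administrative distance values are the customary Cisco defaults.

```python
"""Route selection in the order the slide lists: among candidates for the
same prefix the lowest administrative distance is installed; a packet is
then matched against the longest installed prefix, falling back to the
default route (gateway of last resort) when nothing longer matches. Added
example; prefixes and next hops are constructed."""
import ipaddress

# Customary Cisco default administrative distances
ADMIN_DISTANCE = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}


class RoutingTable:
    def __init__(self):
        self.installed = {}  # IPv4Network -> (admin_distance, source, next_hop)

    def offer(self, prefix, source, next_hop):
        """A routing source offers a route; a lower AD replaces a higher one.
        Returns True if the route was installed."""
        net = ipaddress.IPv4Network(prefix)
        ad = ADMIN_DISTANCE[source]
        current = self.installed.get(net)
        if current is None or ad < current[0]:
            self.installed[net] = (ad, source, next_hop)
            return True
        return False

    def lookup(self, destination):
        """Longest match first; the /0 default only matches when nothing
        more specific does. Returns None when there is no route at all."""
        ip = ipaddress.IPv4Address(destination)
        best = None
        for net, entry in self.installed.items():
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, entry)
        if best is None:
            return None  # no route and no gateway of last resort: packet is dropped
        net, (ad, source, next_hop) = best
        return {"prefix": str(net), "source": source, "admin_distance": ad,
                "next_hop": next_hop, "via_default": net.prefixlen == 0}


def build_demo_table():
    """Constructed table showing AD selection and longest-match forwarding."""
    rt = RoutingTable()
    rt.offer("10.1.0.0/16", "static", "10.0.0.1")
    rt.offer("10.1.10.0/24", "rip", "10.0.0.2")
    rt.offer("10.1.10.0/24", "ospf", "10.0.0.3")   # replaces the RIP route (110 < 120)
    rt.offer("10.1.10.0/24", "rip", "10.0.0.2")    # rejected again: higher AD than OSPF
    rt.offer("0.0.0.0/0", "static", "10.0.0.254")  # gateway of last resort
    return rt


if __name__ == "__main__":
    rt = build_demo_table()
    for dst in ("10.1.10.7", "10.1.20.7", "8.8.8.8"):
        print(dst, "->", rt.lookup(dst))
```

A point worth noticing in the demo: 10.1.10.7 is forwarded via the OSPF /24 even though the static /16 has a lower administrative distance. Administrative distance only decides which source wins for the same prefix; once routes are installed, prefix length decides forwarding.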

Routing Scenario

[Figure: PC1 and PC2 connected through switches SW1 and SW2 and routers R1 and R2; a table of S.IP, D.IP, S.MAC, D.MAC is filled in for each hop]


MPLS
  Why MPLS? What is MPLS?
  MPLS network components
  Label Distribution in MPLS Networks
  Building MPLS-Based Services
  L3 MPLS VPNs
Building a legacy Backbone (IGP, BGP, MPLS)

MPLS

Why MPLS?

Needed a single infrastructure that supports a multitude of applications in a secure manner
Load balance traffic to utilize network bandwidth efficiently
Allow core routers/networking devices to switch packets based on some simplified header
Leverage hardware so that a simple forwarding paradigm can be used

What Is MPLS?

Multi Protocol Label Switching is a technology for delivery of IP services.
MPLS technology switches packets (IP packets, AAL5 frames) instead of routing packets to transport the data.
MPLS packets can run on other Layer 2 technologies such as ATM, FR, PPP, POS, Ethernet.
Other Layer 2 technologies can be run over an MPLS network.

MPLS Network components: MPLS core, MPLS Edge, Remote Customer Sites

1. At Ingress Edge: Label imposition
   Classify & Label packets
   Edge Label Switch Router (ATM Switch / Router): Provider Edge - PE
2. In the Core: Label swapping or switching
   Forward using labels (not IP addr). Label indicates service class and destination
   Label Switch Router (LSR) or P (Provider) router: Router OR ATM switch + label switch controller
3. At Egress Edge: Label disposition
   Remove labels and forward packets

[Figure: Customer A and Customer B sites attached to PE routers at the edge, P routers in the core]

MPLS label header (32 bits):
  bits 0-19:  Label (20 bits)
  bits 20-22: EXP (3 bits)
  bit 23:     S (1 bit)
  bits 24-31: TTL (8 bits)
COS/EXP = Class of Service: 3 Bits; S = Bottom of Stack; TTL = Time to Live

Label Distribution Protocol Operations

Discovery Mechanisms
Session Establishment
Label Distribution and Management
  Label Binding
  Label Advertisement
  Label Distribution

LDP Peer Discovery Mechanism

LSRs discover LDP peers by exchanging LDP Hello messages
Basic Neighbor discovery
  Discover directly attached neighbors on pt-to-pt links (including Ethernet)
  LDP link Hellos are sent periodically using UDP port 646
  Establish a session & exchange prefix/FEC & label information
Extended neighbor discovery
  Establish peer relationship with a non-directly connected router
  LDP Targeted Hellos are sent using UDP port 646
  Exchange FEC and label information
  May be needed to exchange service labels

IP Packet Forwarding Example

[Figure: three routers in a row; packets to 128.89.25.4 are forwarded hop by hop based on IP address. Each router holds a table of Address Prefix -> I/F for the prefixes 128.89 and 171.69 (both via I/F 1 on the first router; 128.89 via I/F 0 and 171.69 via I/F 1 on the others)]

MPLS with Downstream Unsolicited mode, step I: Core Routing Convergence

[Figure: the same three LSRs exchange routing updates (OSPF, EIGRP, ...): "You can reach 128.89 thru me", "You can reach 171.69 thru me", "You can reach 128.89 and 171.69 thru me". Each LSR builds a table with columns In Label, Address Prefix, Out Iface, Out Label. After convergence the prefix and Out Iface columns are filled (128.89 and 171.69 via iface 1 on the ingress LSR; 128.89 via iface 0 and 171.69 via iface 1 on the core LSR; 128.89 via iface 0 on the egress LSR) while the label columns are still empty]

MPLS with Downstream Unsolicited mode, step II: Assigning labels

Label Distribution Protocol (LDP), downstream allocation: each LSR advertises its label bindings upstream:
  "Use Label 9 for 128.89" (egress LSR to core LSR)
  "Use Label 7 for 171.69"
  "Use Label 4 for 128.89 and Use Label 5 for 171.69" (core LSR to ingress LSR)

Resulting tables (In Label | Address Prefix | Out Iface | Out Label):

Ingress LSR:
  - | 128.89 | 1 | 4
  - | 171.69 | 1 | 5
Core LSR:
  4 | 128.89 | 0 | 9
  5 | 171.69 | 1 | 7
Egress LSR:
  9 | 128.89 | 0 | -

MPLS with Downstream Unsolicited mode, step III: Forwarding Packets

Label Switch Forwards Based on Label:
  128.89.25.4 Data        (unlabeled IP packet arrives at the ingress LSR)
  4 | 128.89.25.4 Data    (ingress LSR imposes label 4, sends out iface 1)
  9 | 128.89.25.4 Data    (core LSR swaps label 4 for 9, sends out iface 0)
  128.89.25.4 Data        (egress LSR removes the label and forwards the IP packet)

Tables as built in step II (In Label | Address Prefix | Out Iface | Out Label):
  Ingress LSR:  - | 128.89 | 1 | 4    - | 171.69 | 1 | 5
  Core LSR:     4 | 128.89 | 0 | 9    5 | 171.69 | 1 | 7
  Egress LSR:   9 | 128.89 | 0 | -
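Steps I to III as an added example that is not code from the slides: three LSRs (named INGRESS, CORE and EGRESS here, our names) with the per-prefix table of the figures, downstream label allocation advertised upstream, and a packet to 128.89.25.4 pushed, swapped and popped along the path. The labels 4, 5, 9 and 7 and the interface numbers are the slides' values; the LDP message exchange is reduced to direct method calls, and "Use Label 7 for 171.69" is attributed to an LSR the figure does not draw.

```python
"""Label switching as in steps I-III: downstream LSRs allocate labels for
prefixes and advertise them upstream (downstream unsolicited); the ingress
LSR pushes a label, the core LSR swaps by In Label, the egress LSR pops and
forwards plain IP. Added example modelling the slides' three LSRs (INGRESS,
CORE, EGRESS are our names) with their labels 4, 5, 9 and 7."""
import ipaddress


class LSR:
    def __init__(self, name):
        self.name = name
        # prefix -> {"in_label", "out_iface", "out_label"}: the table of the slides
        self.table = {}
        self.next_label = 16  # labels 0-15 are reserved, so allocate from 16

    def install_route(self, prefix, out_iface):
        """Step I: routing has converged; label columns still empty."""
        self.table[ipaddress.IPv4Network(prefix)] = {
            "in_label": None, "out_iface": out_iface, "out_label": None}

    def allocate_label(self, prefix, label=None):
        """Step II, downstream side: bind a local In Label to the prefix and
        return the binding to advertise upstream ("Use Label X for prefix")."""
        net = ipaddress.IPv4Network(prefix)
        if label is None:
            label, self.next_label = self.next_label, self.next_label + 1
        self.table[net]["in_label"] = label
        return net, label

    def learn_binding(self, net, label):
        """Step II, upstream side: record the neighbour's label as Out Label."""
        self.table[net]["out_label"] = label

    def forward(self, packet):
        """Step III. packet = {"label": int or None, "dst": "a.b.c.d"}.
        Returns (action, out_iface, outgoing packet), or None if dropped."""
        if packet["label"] is None:
            # Ingress: classify by longest prefix match, then impose the label.
            ip = ipaddress.IPv4Address(packet["dst"])
            matches = [n for n in self.table if ip in n]
            if not matches:
                return None
            entry = self.table[max(matches, key=lambda n: n.prefixlen)]
            if entry["out_label"] is None:
                return ("ip", entry["out_iface"], packet)
            return ("push", entry["out_iface"], {"label": entry["out_label"], "dst": packet["dst"]})
        # Core and egress: look up by In Label only, never by IP address.
        entry = next((e for e in self.table.values() if e["in_label"] == packet["label"]), None)
        if entry is None:
            return None  # unknown label: drop rather than guess
        if entry["out_label"] is None:
            return ("pop", entry["out_iface"], {"label": None, "dst": packet["dst"]})
        return ("swap", entry["out_iface"], {"label": entry["out_label"], "dst": packet["dst"]})


def build_slide_lsp():
    ingress, core, egress = LSR("INGRESS"), LSR("CORE"), LSR("EGRESS")
    # Step I: converged routes (prefixes and Out Ifaces from the slides)
    ingress.install_route("128.89.0.0/16", 1)
    ingress.install_route("171.69.0.0/16", 1)
    core.install_route("128.89.0.0/16", 0)
    core.install_route("171.69.0.0/16", 1)
    egress.install_route("128.89.0.0/16", 0)
    # Step II: downstream allocation, advertised upstream
    ingress.learn_binding(*core.allocate_label("128.89.0.0/16", 4))  # "Use Label 4 for 128.89"
    ingress.learn_binding(*core.allocate_label("171.69.0.0/16", 5))  # "Use Label 5 for 171.69"
    core.learn_binding(*egress.allocate_label("128.89.0.0/16", 9))   # "Use Label 9 for 128.89"
    core.learn_binding(ipaddress.IPv4Network("171.69.0.0/16"), 7)    # "Use Label 7 for 171.69", from an LSR not drawn
    return ingress, core, egress


def trace(lsrs, dst):
    """Step III: push an unlabeled packet along the path and record each hop."""
    packet, path = {"label": None, "dst": dst}, []
    for lsr in lsrs:
        step = lsr.forward(packet)
        if step is None:
            path.append((lsr.name, "drop", None, None))
            break
        action, iface, packet = step
        path.append((lsr.name, action, iface, packet["label"]))
    return path


if __name__ == "__main__":
    for hop in trace(build_slide_lsp(), "128.89.25.4"):
        print(hop)
```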

Building MPLS-Based Services

What Is a Virtual Private Network?

VPN is a set of sites or groups which are allowed to communicate with each other
VPN is defined by a set of administrative policies
  Policies established by VPN customers
  Policies could be implemented completely by VPN service providers
Flexible inter-site connectivity
  Ranging from complete to partial mesh
Sites may be either within the same or in different organizations
  VPN can be either intranet or extranet
Site may be in more than one VPN
  VPNs may overlap
Not all sites have to be connected to the same service provider
  VPN can span multiple providers

IP L3 vs. MPLS L3 VPNs

[Figure: overlapping VPN A, VPN B and VPN C sites using Hosting, Multicast, VoIP, Intranet and Extranet services]

Overlay VPN:
  ACLs, ATM/FR, IP tunnels, IPSec, etc. requiring n*(n-1) peering points
  Transport dependent
  Groups endpoints, not groups
  Pushes content outside the network
  Costs scale exponentially
  NAT necessary for overlapping address space
  Limited scaling
  QoS complexity
MPLS-Based VPNs:
  Point to Cloud: single point of connectivity
  Transport independent
  Easy grouping of users and services
  Enables content hosting inside the network
  Flat cost curve
  Supports private overlapping IP addresses
  Scalable to over millions of VPNs
  Per VPN QoS

How Does It Work? MPLS L3 VPN Control Plane Basics

[Figure: CE1, CE2, CE3 and CE4 attached to PE1, PE2 and PE3 with a VRF per site interface; P1 and P2 in the core; LDP between core neighbors; iBGP VPNv4 label exchange between the PEs]

1. VPN service is enabled on PEs (VRFs are created and applied to VPN site interface)
2. VPN site CE1 connects to a VRF enabled interface on PE1
3. VPN site routing by CE1 is distributed to MP-iBGP on PE1
4. PE1 allocates VPN label for each prefix, sets itself as a next hop and relays VPN site routes to PE3
5. PE3 distributes CE1's routes to CE2
(Similar happens from CE2 side)

How Does it work? How control plane information is separated

MPLS VPN Control Plane Components:
  Route Distinguisher: 8 byte field, unique value assigned by a provider to each VPN to make a route unique, so customers don't see each other's routes
  VPNv4 address: RD + VPN IP prefix
  Route Target: RT, 8 byte field, unique value assigned by a provider to define the import/export rules for the routes from/to each VPN
  MP-BGP: facilitates the advertisement of VPNv4 prefixes + labels between MP-BGP peers
  Virtual Routing Forwarding Instance (VRF): contains VPN site routes
  Global Table: contains core routes, Internet or routes to other services

[Figure: CE1 - PE1 - P1 - P2 - PE2 - CE2. CE1 and PE1 exchange IPv4 routes (IGP/eBGP, Net=16.1/16); PE1 advertises the VPN-IPv4 route Net=RD:16.1/16, NH=PE1, Route Target 100:1, Label=42 to PE2; PE2 advertises Net=16.1/16 to CE2 via IGP/eBGP; no VPN routes in the core (P)]

VRF configuration on the PE:
  ip vrf Yellow
   rd 1:100
   route-target export 1:100
   route-target import 1:100
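The separation described above, as an added example that is not from the slides: two PEs, each with several VRFs, where the Route Distinguisher makes otherwise identical customer prefixes distinct VPNv4 routes and the Route Targets decide which VRF imports what. The VRF name Yellow, RD/RT 1:100, prefix 16.1/16 and label 42 echo the slides; the PE names, the Blue and Green VRFs with their RDs and RTs, the CE next-hop names and the remaining labels are constructed, and MP-BGP is reduced to passing a list of route dictionaries between the PEs.

```python
"""Control-plane separation of MPLS L3 VPNs: each VRF has a Route
Distinguisher that makes its prefixes unique as VPNv4 routes, and Route
Targets decide which VRFs import which routes, so two customers can both
use 16.1/16 without seeing each other. Added example; Yellow, 1:100,
16.1/16 and label 42 echo the slides, everything else is constructed."""
import ipaddress


class VRF:
    def __init__(self, name, rd, export_rts, import_rts):
        self.name, self.rd = name, rd
        self.export_rts, self.import_rts = set(export_rts), set(import_rts)
        self.routes = {}  # IPv4Network -> (next_hop, vpn_label)


class PE:
    def __init__(self, name, first_label=42):
        self.name = name
        self.vrfs = {}
        self.next_label = first_label

    def add_vrf(self, name, rd, export_rts, import_rts):
        self.vrfs[name] = VRF(name, rd, export_rts, import_rts)

    def learn_from_ce(self, vrf_name, prefix, ce_next_hop):
        """Site routes from the CE land in its VRF and receive a VPN label."""
        net = ipaddress.IPv4Network(prefix)
        label, self.next_label = self.next_label, self.next_label + 1
        self.vrfs[vrf_name].routes[net] = (ce_next_hop, label)

    def export_vpnv4(self):
        """MP-BGP side: VPNv4 route = RD + prefix, next hop = this PE,
        carrying the VRF's export RTs and the VPN label."""
        advertised = []
        for vrf in self.vrfs.values():
            for net, (_, label) in vrf.routes.items():
                advertised.append({"vpnv4": f"{vrf.rd}:{net}", "prefix": net,
                                   "next_hop": self.name,
                                   "rts": set(vrf.export_rts), "label": label})
        return advertised

    def import_vpnv4(self, advertised):
        """A VRF imports a route only if an RT matches its import list; the RD
        is stripped so the prefix lands in the site table as a plain route."""
        for route in advertised:
            for vrf in self.vrfs.values():
                if route["rts"] & vrf.import_rts:
                    vrf.routes[route["prefix"]] = (route["next_hop"], route["label"])

    def vrf_lookup(self, vrf_name, destination):
        """Longest match inside one VRF; other VRFs' routes are invisible."""
        ip = ipaddress.IPv4Address(destination)
        matches = [n for n in self.vrfs[vrf_name].routes if ip in n]
        if not matches:
            return None
        net = max(matches, key=lambda n: n.prefixlen)
        next_hop, label = self.vrfs[vrf_name].routes[net]
        return {"prefix": str(net), "next_hop": next_hop, "label": label}


def build_demo():
    pe1, pe2 = PE("PE1"), PE("PE2", first_label=100)
    pe1.add_vrf("Yellow", "1:100", ["1:100"], ["1:100"])  # as in the slide's config
    pe1.add_vrf("Blue", "1:200", ["1:200"], ["1:200"])
    pe2.add_vrf("Yellow", "1:100", ["1:100"], ["1:100"])
    pe2.add_vrf("Blue", "1:200", ["1:200"], ["1:200"])
    pe2.add_vrf("Green", "1:300", ["1:300"], ["1:300"])   # imports nothing from PE1
    # Overlapping customer address space: both sites use 16.1/16
    pe1.learn_from_ce("Yellow", "16.1.0.0/16", "CE1-yellow")
    pe1.learn_from_ce("Blue", "16.1.0.0/16", "CE1-blue")
    advertised = pe1.export_vpnv4()
    pe2.import_vpnv4(advertised)
    return pe1, pe2, advertised


if __name__ == "__main__":
    pe1, pe2, advertised = build_demo()
    for route in advertised:
        print(route["vpnv4"], "label", route["label"], "RTs", sorted(route["rts"]))
    for vrf in ("Yellow", "Blue", "Green"):
        print(vrf, "->", pe2.vrf_lookup(vrf, "16.1.5.5"))
```

The isolation is only as strong as the RT configuration: a VRF that imports another customer's RT sees that customer's routes, which is exactly how extranets are built deliberately and how cross-customer leaks happen by mistake. Reviewing `route-target import` lines on every PE is the corresponding audit step.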

How does it work? How Data Plane is separated

1. PE1 imposes pre-allocated label for the prefix
2. Core facing interface allocates IGP label
3. Core swaps IGP labels
4. PE2 strips off VPN label and forwards the packet to CE2 as an IP packet

[Figure: CE1 forwards an IPv4 packet; PE1, P1, P2 and PE2 carry it with the label stack; CE2 receives the IPv4 packet]

Site interface configuration on the PE:
  !
  interface S1/0
   ip vrf forwarding Yellow
  !

Verify VPN Prefix - Labels

PE1# sh ip bgp vpnv4 vrf Red labels
   Network          Next Hop      In label/Out label
   0.0.0.0          10.1.21.5     22/nolabel
   10.1.10.0/24     10.1.100.3    nolabel/37
   10.1.11.0/24     10.1.100.3    nolabel/32
   10.1.15.0/24     0.0.0.0       34/aggregate(Red)

PE2# sh ip bgp vpnv4 vrf Red label
   Network          Next Hop      In label/Out label
   0.0.0.0          10.1.100.1    nolabel/22
   10.1.10.0/24     10.1.24.10    37/nolabel
   10.1.11.0/24     10.1.26.11    32/nolabel
   10.1.15.0/24     10.1.100.1    nolabel/34

[Figure: PE1 loop0: 10.1.100.1, P1 loop0: 10.1.100.2, P2, PE3 loop0: 10.1.100.3]

Building a legacy MPLS Backbone

Building a legacy MPLS Backbone (IGP, BGP, MPLS)

[Figure: Customer A branch 1 and Customer A branch 2 attached to PE routers, P routers in the core]
  PE-CE routing
  VRFs are configured and BGP routing updates are exchanged
  IGP routing updates within the cloud + all nodes are MPLS enabled
  Core router used for label swapping, doesn't participate in the routing updates


Introduction to Security

The Main 3 Security Components:
  Confidentiality
  Integrity
  Availability

Introduction to Security [Contd]: Firewalls

Firewall Technologies:
  Packet filtering
  Proxy
  Stateful Inspection
Firewall Zones
Firewall Policies

[Figure: firewall in front of the Corporate Network; the firewall provides access control: Deny Traffic, Allow Traffic, Deny Some Attacks]

Introduction to Security [Contd]: NAT & PAT and Access Lists

NAT
  One to one translation
  Access public network
PAT
  Many to one translation
  Lack of public IPs
Access Lists
  Standard & Extended
  Simple Security

Introduction to Security [Contd]: VPN (Virtual Private Networks)

VPN Concept
VPN Modes
  Transport
  Tunnel
VPN Phases
VPN Variables
  Encryption algorithm
  Hash algorithm
  Authentication method
  Diffie-Hellman group

Introduction to Security [Contd]: AAA

Authentication
Authorization
Accounting

References

www.ieee.com
www.Cisco.com
www.juniper.com
www.ietf.org
www.net130.com

Questions?